Servers that provide peer-to-peer (P2P) network services over the Transmission Control Protocol (TCP) are often susceptible to various types of Denial of Service (DoS) attacks, including Distributed Denial of Service (DDoS) attacks, from external hosts on the network. As the number of peers, or clients, in a P2P system increases, often to tens of thousands or more, the risk of a DDoS attack increases with it. In a typical DDoS attack, an attacking client may poison a centralized index table on the P2P system's central server, or it may poison the distributed index tables held by distributed servers. Innocent P2P clients then act on the information in the poisoned index tables and, without intending to, attack servers within the P2P system.
In one particular type of attack, known as a “synchronization (SYN) flood,” external hosts overwhelm the server by sending a constant stream of TCP connection requests to the server, which forces the server to allocate resources for each new connection until all of the server's resources are exhausted. In the case of a poisoned index table, the P2P system clients are inadvertent participants in the SYN flood attack.
Firewalls are often used to protect servers against SYN flood attacks. One technique that firewalls use for this purpose is called a “SYN cookie.” For each incoming synchronization (SYN) packet (or message), the firewall replies with a SYN/ACK packet whose Initial Sequence Number (ISN) carries a particular signature (the SYN cookie). The firewall permits a TCP connection request to proceed to the server only if the ACK packet that the firewall receives from the client contains the correct signature. However, in the poisoned index table example, the inadvertent attack from a spoofed Internet Protocol (IP) address will appear to contain the correct signature. As a result, in such circumstances the firewall may permit the TCP connection to reach the server, thereby subjecting the server to a DDoS attack.
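The following added example (not code from the original text) models the SYN cookie check described above in Python: the firewall encodes a keyed hash of the connection 4-tuple, the client's ISN, a coarse time counter and the MSS index into the SYN/ACK's ISN, keeps no per-SYN state, and recomputes the signature from the fields of the returning ACK. The secret, the simplified bit layout (5 bits counter, 24 bits hash, 3 bits MSS index) and the sample addresses are constructed for the demonstration. The handshake helper shows why the check stops a blind flood but not a client that genuinely completes the handshake, such as an innocent peer acting on a poisoned index table.

```python
import hashlib
import hmac

# Constructed demo secret; a real firewall uses a random per-boot secret.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values encodable in the 3 low bits
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, dst_ip, sport, dport, client_isn, counter):
    """Keyed 24-bit hash over the 4-tuple, the client's ISN and a coarse
    time counter. No state is stored per SYN: the cookie is recomputed
    from the ACK's own fields when the ACK arrives."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, counter):
    """ISN for the SYN/ACK: 5 bits of counter | 24 bits of hash | 3 bits MSS index."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _mac24(src_ip, dst_ip, sport, dport, client_isn, counter)
    return ((counter & 31) << 27 | h << 3 | mss_idx) & MASK32


def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_seq, ack_num, counter, max_age=2):
    """Validate the third handshake packet. In a real handshake ack_seq is
    client_isn+1 and ack_num is cookie+1. Returns the MSS to use for the
    connection, or None if the signature is wrong or the cookie is too old."""
    cookie = (ack_num - 1) & MASK32
    client_isn = (ack_seq - 1) & MASK32
    for age in range(max_age + 1):  # accept cookies from the last few counter ticks
        c = counter - age
        if (c & 31) != (cookie >> 27):
            continue
        if ((cookie >> 3) & 0xFFFFFF) == _mac24(src_ip, dst_ip, sport, dport, client_isn, c):
            return MSS_TABLE[cookie & 7]
    return None


def handshake(client_ip, server_ip, sport, dport, client_isn, mss, counter, real_client=True):
    """Simulate one connection attempt through the firewall. A client that
    really received the SYN/ACK (including an innocent peer misled by a
    poisoned index table) echoes the cookie; a blind sender that never saw
    the SYN/ACK can only guess, so its ACK fails the signature check."""
    cookie = make_syn_cookie(client_ip, server_ip, sport, dport, client_isn, mss, counter)
    ack_num = (cookie + 1) & MASK32 if real_client else 0xA0000001  # constructed blind guess
    return check_syn_cookie(client_ip, server_ip, sport, dport, client_isn + 1, ack_num, counter)
```

Because the innocent peers complete the handshake honestly, every one of their connections passes this check, which is the limitation the passage above describes.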